Re: Google doesn't respect its own 90 days deadline!
The press release doesn't make it clear when the CVE was made public. As the bugfix has just gone into the stable version of the browser, it will have been fixed in beta and canary channels earlier and presumably available as a hotfix if required.
Not that Google might not get caught out by its 90 day rule at some point but at the moment it has the PR on its side.
From the security page:
One of the quickest ways to get involved is finding and reporting security bugs. It will get prompt attention from a security sheriff, be kept private until we coordinate disclosure, and possibly qualify for a cash reward through our Vulnerability Rewards Program. We occasionally run security contests outside of our regular reward program (e.g. Pwnium2, Pwnium3) too.
Oh, and the code is all open source so that miscreants have a head start finding bugs. Except, of course, that automated scans are better than code review for detecting exploits.